Cyber Incident Victim: LimeVPN

Date:

Jun 2021

Location:

United States of America

Summary

A VPN provider experienced a security breach resulting in the theft of approximately 69,000 user records, including plaintext passwords, IP addresses, billing details, and private keys enabling traffic decryption. The attacker claimed responsibility for both the data theft and the subsequent takedown of the company’s website, which displayed malware infection warnings. Stolen information was offered for sale on a cybercrime forum, with samples revealing transaction histories and subscriber names but excluding direct payment-card data due to third-party processing. Researchers independently verified the breach after reviewing leaked data samples and communicating with the perpetrator, while the affected organization acknowledged unauthorized access to its backup server and initiated credential resets alongside a system audit.

Description

On or around June 29, 2021, an attacker using the alias "slashx" breached LimeVPN’s systems, exfiltrating a database containing 69,400 user records. The stolen data included usernames, plaintext passwords, IP addresses, billing information, and public and private keys of LimeVPN users. The hacker advertised the entire database for sale on RaidForums, initially listing 10,000 records for $400 before expanding the offering to the full dataset. Researchers from PrivacySharks and RestorePrivacy independently verified the breach after communicating with the attacker and reviewing sample data. The hacker claimed the intrusion resulted from a security vulnerability rather than insider involvement or prior compromise. By June 30 or July 1, LimeVPN’s website became inaccessible, with PrivacySharks reporting that Malwarebytes antivirus blocked access due to detection of a potential trojan infection on the site. LimeVPN confirmed the breach to researchers, attributing the website outage to the same attacker and disclosing that a backup server had been compromised. The company stated it had reset access credentials and initiated a system audit.

Analysis of the stolen data samples revealed transaction details—including payment amounts, methods, and full names of current subscribers—with some records dated as recently as the week of the breach. While payment card numbers and bank details were absent due to LimeVPN’s use of the third-party processor WHMCS, the hacker asserted possession of the entire WHMCS database. The exposure of private keys posed critical risks, as attackers could decrypt users’ VPN traffic. Researchers emphasized the breach’s implications for social engineering attacks, phishing campaigns, and identity theft due to the availability of identifiable user information despite LimeVPN’s no-logs policy. The incident highlighted security vulnerabilities in VPN providers’ infrastructure, particularly concerning the storage of cryptographic keys and user credentials. No evidence suggested the compromise extended beyond LimeVPN’s systems to WHMCS itself. LimeVPN had not publicly addressed logging practices or provided additional remediation details beyond credential resets and audits at the time of reporting.
